CrowdStrike security update leads to widespread outages
A CrowdStrike security update has left thousands of organizations unable to boot their Windows computers.
On Thursday, CrowdStrike issued a security update to Windows machines that inadvertently caused a severe boot error, displaying the message: “It looks like Windows didn’t load correctly.” Mac and Linux systems are unaffected.
The global Windows outage associated with the CrowdStrike update has caused significant disruptions, including grounded flights, halted train services, non-operational stock exchanges, offline TV channels, and strained emergency services and hospitals.
CrowdStrike is actively working with customers impacted by this defect. To fix non-booting Windows machines with CrowdStrike installed, users must manually boot each computer in safe mode and delete a specific file, identified as “C-00000291*.sys” with a timestamp of 0409 UTC.
For more detailed instructions on how to fix affected machines, see CrowdStrike’s statement.
Microsoft’s Azure Status page features a number of recovery options, with the simplest being multiple restarts. It reports that “We have received reports of successful recovery from some customers attempting multiple Virtual Machine restart operations on affected Virtual Machines,” and that it has “received feedback from customers that several reboots (as many as 15 have been reported) may be required, but overall feedback is that reboots are an effective troubleshooting step at this stage.”
The outage does not adversely affect the security status of the affected machines, but the scale of it may present opportunities for scammers and cybercriminals to pose as employees of Microsoft, Crowdstrike, managed service providers, or corporate IT departments, via email, instant messaging, phone, video conference, or other means. Windows users affected by the outage should take steps to verify the identity of anyone reaching to provide assistance, and be wary of any unsolicited offers of help from unfamiliar sources.
CISA reports that:
Of note, CISA has observed threat actors taking advantage of this incident for phishing and other malicious activity. CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links.
SANS reports that lookalike Crowdstrike domains are already being registered.
Our hearts go out to IT administrators who are now facing the arduous task of manually addressing each impacted device. The necessity for physical intervention on every device means resolving this issue could take days or even weeks, and many people are likely to lose their weekend or have their plans disrupted.
We also extend our sympathies to CrowdStrike tech support, who will be inundated with requests for assistance in the coming weeks.
ThreatDown infrastructure, products and services are not affected by the CrowdStrike update.
This is a developing story. For more information, check CrowdStrike’s website.